
Martin Paul Eve

Professor of Literature, Technology and Publishing at Birkbeck, University of London


Having read two great posts on OpenSSH best practices, I decided today that I wanted to upgrade my SSH key architecture to use Elliptic Curve Cryptography. There were several gotchas involved that I thought were worth sharing here. At the time of writing there are no packages for Fedora 15 or Debian stable that I could find with ECC support, so I've worked from source.

Getting ECC working on some systems can be a bit of a pain. Fedora, in particular, has decided, because of patent encumbrance, to strip the header files for OpenSSL's ECC implementation from its packages. To get around this, I recommend reinstalling OpenSSL from source, downloaded from the OpenSSL site. You can tell whether your distro has this problem because OpenSSH's ./configure output will report:

checking whether OpenSSL has complete ECC support... no

An easier way to check in advance is to look for the presence of /usr/include/openssl/ecdsa.h.

So, once you've got the latest OpenSSL installed, download the latest OpenSSH portable tar.gz (5.8p2 at the time of writing) and run the following.

On Fedora 15 (after installing OpenSSL from source; last command in this list needs to be root):

tar -xzf openssh-5.8p2.tar.gz
cd openssh-5.8p2
./configure --with-selinux --bindir=/usr/bin --sbindir=/usr/sbin --with-ssl-dir=/usr/local/ssl/
make install

On Debian/Ubuntu (not necessary to install OpenSSL from source):

tar -xzf openssh-5.8p2.tar.gz
cd openssh-5.8p2
./configure --bindir=/usr/bin --sbindir=/usr/sbin
sudo make install

You can then generate an ECDSA key and copy its public half to a server as usual.

ssh-keygen -t ecdsa -b 521
ssh-copy-id -i ~/.ssh/id_ecdsa.pub user@server.tld
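As an added example (not from the original post), a few POSIX sh checks for the steps above: whether the ECC headers that OpenSSH's configure looks for are present, what a configure log reported, and whether the file handed to ssh-copy-id really is the ECDSA public key of the curve you generated. The include directory, log path, key file and curve size are assumed arguments; the sample key used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not the post's own code. All paths are arguments supplied by
# the caller; nothing here touches the real system unless you point it there.

# Return 0 if an OpenSSL include directory carries the ECC headers that
# OpenSSH's configure looks for (Fedora 15 shipped without them).
has_ecc_headers() {
    inc_dir="$1"
    [ -f "$inc_dir/openssl/ecdsa.h" ] && [ -f "$inc_dir/openssl/ec.h" ]
}

# Inspect a saved configure log. Return 0 if it reports complete ECC
# support, 1 if it reports "no", and 2 if the line is absent altogether
# (wrong log, or an OpenSSH too old to have the check).
ecc_configure_result() {
    log="$1"
    line=$(grep 'checking whether OpenSSL has complete ECC support' "$log" || true)
    case "$line" in
        *"... yes") return 0 ;;
        *"... no")  return 1 ;;
        *)          return 2 ;;
    esac
}

# Print the key type field of a public key file, e.g. ecdsa-sha2-nistp521.
pubkey_type() {
    awk 'NR == 1 { print $1; exit }' "$1"
}

# Return 0 only if the file is an OpenSSH public key for the expected ECDSA
# curve. A private key, or a directory such as ~/.ssh/ passed by mistake to
# "ssh-copy-id -i", fails this check instead of being sent to the server.
is_ecdsa_pubkey() {
    file="$1"
    bits="$2"
    [ -f "$file" ] || return 1
    [ "$(pubkey_type "$file")" = "ecdsa-sha2-nistp$bits" ]
}
```

Run it as a library (`. ./ecc-checks.sh`) and call, for instance, `has_ecc_headers /usr/include` before configuring, and `is_ecdsa_pubkey ~/.ssh/id_ecdsa.pub 521` before ssh-copy-id.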

Featured image by Koen Photos under a CC-BY-ND license.